The views expressed in FMSO publications and reports
are those of the authors and do not necessarily represent the official policy
or position of the Department of the Army, Department of Defense, or the U.S.
Government.

Al Qaeda and the Internet: The Danger of “Cyberplanning”

We can say with some certainty, al
Qaeda loves the Internet. When the latter first appeared, it was hailed as an
integrator of cultures and a medium for businesses, consumers, and governments
to communicate with one another. It appeared to offer unparalleled opportunities
for the creation of a “global village.” Today the Internet still offers that
promise, but it also has proven in some respects to be a digital menace. Its
use by al Qaeda is only one example. It also has provided a virtual battlefield
for peacetime hostilities between Taiwan and China, Israel and Palestine, Pakistan
and India, and China and the United States (during both the war over Kosovo
and in the aftermath of the collision between the Navy EP-3 aircraft and Chinese
MiG). In times of actual conflict, the Internet was used as a virtual battleground
between NATO’s coalition forces and elements of the Serbian population. These
real tensions from a virtual interface involved not only nation-states but also
non-state individuals and groups either aligned with one side or the other,
or acting independently.

Evidence strongly
suggests that terrorists used the Internet to plan their operations for 9/11.
Computers seized in Afghanistan reportedly revealed that al;Qaeda was collecting
intelligence on targets and sending encrypted messages via the Internet. As
recently as 16 September 2002, al Qaeda cells operating in America reportedly
were using Internet-based phone services to communicate with cells overseas.
These incidents indicate that the Internet is being used as a “cyberplanning” tool for terrorists. It provides terrorists with anonymity, command and control
resources, and a host of other measures to coordinate and integrate attack options.

Cyberplanning
may be a more important terrorist Internet tool than the much touted and feared
cyberterrorism option—attacks against information and systems resulting in violence
against noncombatant targets. The Naval Postgraduate School (NPS)
has defined cyberterrorism as the unlawful destruction or disruption of digital
property to intimidate or coerce people.1 Cyberplanning, not defined by NPS
or any other source, refers to the digital coordination of an integrated plan
stretching across geographical boundaries that may or may not result in bloodshed.
It can include cyberterrorism as part of the overall plan. Since 9/11, US sources
have monitored several websites linked to al Qaeda that appear to contain elements
of cyberplanning:

alneda.com, which US officials
said contained encrypted information to direct al Qaeda members to more
secure sites, featured international news on al Qaeda, and published articles,
fatwas (decisions on applying Muslim law), and books.

assam.com, believed to
be linked to al Qaeda (originally hosted by the Scranton company BurstNET
Technologies, Inc.), served as a mouthpiece for jihad in Afghanistan, Chechnya,
and Palestine.

almuhrajiroun.com, an al
Qaeda site which urged sympathizers to assassinate Pakistani President Musharraf.

qassam.net, reportedly
linked to Hamas.

jihadunspun.net, which offered a 36-minute video of Osama bin Laden.2

aloswa.org, which featured
quotes from bin Laden tapes, religious legal rulings that “justified” the
terrorist attacks, and support for the al Qaeda cause.4

drasat.com, run by the
Islamic Studies and Research Center (which some allege is a fake center),
and reported to be the most credible of dozens of Islamist sites posting
al Qaeda news.

jehad.net, alsaha.com,
and islammemo.com, alleged to have posted al Qaeda statements on their websites.

mwhoob.net and aljehad.online,
alleged to have flashed political-religious songs, with pictures of persecuted
Muslims, to denounce US policy and Arab leaders, notably Saudi.5

While it is prudent
to tally the Internet cyberplanning applications that support terrorists, it
must be underscored that few if any of these measures are really anything new.
Any hacker or legitimate web user can employ many of these same measures
for their own purposes, for business, or even for advertising endeavors. The
difference, of course, is that most of the people on the net, even if they have
the capabilities, do not harbor the intent to do harm as does a terrorist or
al Qaeda member.

Highlighting several
of the more important applications may help attract attention to terrorist methodologies
and enable law enforcement agencies to recognize where and what to look for
on the net. Sixteen measures are listed below for consideration. More could
be added.

•The Internet can be used
to put together profiles. Internet user demographics allow terrorists to
target users with sympathy toward a cause or issue, and to solicit donations
if the right “profile” is found. Usually a front group will perform the fundraising
for the terrorist, often unwittingly. E-mail fundraising has the potential to
significantly assist a terrorist’s publicity objectives and finances simultaneously.6

Word searches
of online newspapers and journals allow a terrorist to construct a profile of
the means designed to counter his actions, or a profile of admitted vulnerabilities
in our systems. For example, recent articles reported on attempts to slip contraband
items through security checkpoints. One report noted that at Cincinnati’s airport,
contraband slipped through over 50 percent of the time. A simple Internet search
by a terrorist would uncover this shortcoming, and offer the terrorist an embarkation
point to consider for his or her next operation. A 16 September report noted
that US law enforcement agencies were tracing calls made overseas to al Qaeda
cells from phone cards, cell phones, phone booths, or Internet-based phone services.
Exposing the targeting techniques of law enforcement agencies allows the terrorist
to alter his or her operating procedures. The use of profiles by terrorists
to uncover such material greatly assists their command and control of operations.
The implication is that in a free society such as the United States, you can
publish too much information, and while the information might not be sensitive
to us, it might be very useful to a terrorist.

•Internet access can be
controlled or its use directed according to the server configuration, thus creating
a true ideological weapon. In the past, if some report was offensive to
a government, the content of the report could be censored or filtered. Governments
cannot control the Internet to the same degree they could control newspapers
and TV. In fact, the Internet can serve as a terrorist’s TV or radio station,
or his international newspaper or journal. The web allows an uncensored and
unfiltered version of events to be broadcast worldwide. Chat rooms, websites,
and bulletin boards are largely uncontrolled, with few filters in place. This
climate is perfect for an underfunded group to explain its actions or to offset
both internal and international condemnation, especially when using specific
servers. The Internet can target fence-sitters as well as true believers with
different messages, oriented to the target audience.

In the aftermath
of the 9/11 attacks, al Qaeda operatives used the Internet to fight for the
hearts and minds of the Islamic faithful worldwide. Several internationally recognized
and respected Muslims who questioned the attacks were described as hypocrites
by al Qaeda. Al Qaeda ran two websites, alneda.com and drasat.com, to discuss
the legality of the attacks on 9/11. Al Qaeda stated that Islam shares no fundamental
values with the West and that Muslims are committed to spread Islam by the sword.
As a result of such commentary, several Muslim critics of al Qaeda’s policies
withdrew their prior condemnation.7 Ideological warfare worked.

•The Internet can be used
anonymously, or as a shell game to hide identities. Terrorists have access
to Internet tools to create anonymity or disguise their identities. Online encryption
services offer encryption keys for some services that are very difficult to
break. The website spammimic.com offers tools that hide text in “spam,” unsolicited
bulk commercial e-mail. Speech compression technology allows users to convert
a computer into a secure phone device. Network accounts can be deleted or changed
as required. For example, Internet users can create Internet accounts with national
firms such as America Online (AOL), or can even create an AOL Instant Messenger
(AIM) account on a short-term basis. In addition, anonymous logins are possible
for many of the thousands of chat rooms on the net. If desired, the user can
access cyber cafes, university and library computers, or additional external
resources to further hide the source of the messages.8 An al Qaeda laptop found in Afghanistan had linked with the French Anonymous
Society on several occasions. The site offers a two-volume Sabotage Handbook
online.

Not only are anonymous methods
available for the people who use the Internet, but at times Internet service
providers (ISPs) unwittingly participate in serving people or groups for purposes
other than legitimate ones. The al Qaeda web site www.alneda.com was originally
located in Malaysia until 13 May. It reappeared in Texas at http://66.34.191.223/
until 13 June, and then reappeared on 21 June at www.drasat.com in Michigan.
It was shut down on 25 June 2002. The ISPs hosting it apparently knew nothing
about the content of the site or even the fact that it was housed on their servers.9 This shell game with their website enabled the al Qaeda web to remain
functional in spite of repeated efforts to shut it down. Cyber deception campaigns
will remain a problem for law enforcement personnel for years to come.

•The Internet produces an
atmosphere of virtual fear or virtual life. People are afraid of things
that are invisible and things they don’t understand. The virtual threat of computer
attacks appears to be one of those things. Cyber-fear is generated by the fact
that what a computer attack could do (bring down airliners, ruin critical
infrastructure, destroy the stock market, reveal Pentagon planning secrets,
etc.) is too often associated with what will happen. News reports would
lead one to believe that hundreds or thousands of people are still active in
the al Qaeda network on a daily basis just because al Qaeda says so. It is;clear
that the Internet empowers small groups and makes them appear much more capable
than they might actually be, even turning bluster into a type of virtual fear. The net allows
terrorists to amplify the consequences of their activities with follow-on messages
and threats directly to the population at large, even though the terrorist group
may be totally impotent. In effect, the Internet allows a;person or group
to appear to be larger or more important or threatening than they really are.

The Internet can
be used to spread disinformation, frightening personal messages, or horrific
images of recent activities (one is reminded of the use of the net to replay
the murder of reporter Daniel Pearl by his Pakistani captors). Virtually, it
appears as though attacks are well planned and controlled, and capabilities
are genuine. Messages are usually one-sided, however, and reflect a particular
political slant. There is often little chance to check the story and find out
if it is mere bravado or fact. The Internet can thus spread rumors and false
reports that many people, until further examination, regard as facts.

Recently, the
Arab TV station al-Jazeera has played tape recordings of bin Laden’s speeches
and displayed a note purportedly signed by him praising attacks on an oil tanker
near Yemen, and on US soldiers participating in a war game in Kuwait. These
messages were picked up and spread around the Internet, offering virtual proof
that bin Laden was alive. Most likely bin Laden was seriously injured (which
is why we haven’t seen him in over a year), but his image can be manipulated
through radio or Internet broadcasts so that he appears confident, even healthy.

•The Internet can help a
poorly funded group to raise money. Al;Qaeda has used Islamic humanitarian
“charities” to raise money for jihad against the perceived enemies of Islam.
Analysts found al Qaeda and humanitarian relief agencies using the same bank
account numbers on numerous occasions. As a result, several US-based Islamic
charities were shut down.10 The Sunni extremist group Hizb al-Tahrir uses an integrated web of Internet
sites from Europe to Africa;to call for the return of an Islamic caliphate.
The website states that it desires to;do so by peaceful means. Supporters
are encouraged to assist the effort by;monetary support, scholarly verdicts,
and encouraging others to support jihad.;Bank information, including account
numbers, is provided on a German site,;www.explizit-islam.de.11 Portals specializing in the anonymous transfer of money,
or portals providing services popular with terrorists (such as the issue of
new identities and official passports) are also available.12

The fighters in
the Russian breakaway republic of Chechnya have used the Internet to publicize
banks and bank account numbers to which sympathizers can contribute. One of
these Chechen bank accounts is located in Sacramento, California, according
to a Chechen website known as amina.com.

Of course, there
are other ways to obtain money for a cause via the Internet. One of the most
common ways is credit card fraud. Jean-Francois Ricard, one of France’s top
anti-terrorism investigators, noted that many Islamist terror plots in Europe
and North America were financed through such criminal activity.13

•The Internet is an outstanding
command and control mechanism. Command and control, from a US military point
of view, involves the exercise of authority and direction by a properly designated
commander over assigned and attached forces in the accomplishment of the mission.
Personnel, equipment, communications, facilities, and procedures accomplish
command and control by assisting in planning, directing, coordinating, and controlling
forces and operations in the accomplishment of a mission.

Command and control
on the Internet is not hindered by geographical distance, or by lack of sophisticated
communications equipment. Antigovernment groups present at the G8 conference
in Cologne used the Internet to attack computers of financial centers and to
coordinate protests from locations as distant as Indonesia and Canada. Terrorists
can use their front organizations to coordinate such attacks, to flood a key
institution’s e-mail service (sometimes as a diversionary tactic for another
attack), or to send hidden messages that coordinate and plan future operations.

The average citizen,
the antigovernment protester, and the terrorist now have access to command and
control means, limited though they may be, to coordinate and plan attacks. Further,
there are “cracking” tools available to detect security flaws in systems and
try to exploit them. Attaining access to a site allows the hacker or planner
to command and control assets (forces or electrons) that are not his. The Internet’s
potential for command and control can vastly improve an organization’s effectiveness
if it does not have a dedicated command and control establishment, especially
in the propaganda and internal coordination areas. Finally, command and control
can be accomplished via the Internet’s chat rooms. One website, alneda.com,
has supported al Qaeda’s effort to disperse its forces and enable them to operate
independently, providing leadership via strategic guidance, theological arguments,
and moral inspiration. The site also published a list of the names and home
phone numbers of 84 al Qaeda fighters captured in Pakistan after escaping from
Afghanistan. The aim presumably was to allow sympathizers to contact their families
and let them know they were alive.14

•The Internet is a recruiting
tool. The web allows the user complete control over content, and eliminates
the need to rely on journalists for publicity. Individuals with sympathy for
a cause can be converted by the images and messages of terrorist organizations,
and the addition of digital video has reinforced this ability. Images and video
clips are tools of empowerment for terrorists. More important, net access to
such products provides contact points for men and women to enroll in the cause,
whatever it may be.15 Additionally,

Current versions
of web browsers, including Netscape and Internet Explorer, support JavaScript
functions allowing Internet servers to know which language is set as the default
for a particular client’s computer. Hence, a browser set to use English as
the default language can be redirected to a site optimized for publicity aimed
at Western audiences, while one set to use Arabic as the default can be redirected
to a different site tailored toward Arab or Muslim sensibilities.16

This allows recruiting
to be audience- and language-specific, enabling the web to serve as a recruiter
of talent for a terrorist cause. Recently, the Chechen website qoqaz.net, which
used to be aimed strictly against Russian forces operating in Chechnya, changed
its address to assam.com, and now includes links to Jihad in Afghanistan, Jihad
in Palestine, and Jihad in Chechnya. Such sites give the impression that the
entire Islamic world is uniting against the West, when in fact the site may
be the work of just a few individuals.

•The Internet is used to
gather information on potential targets. The website operated by the Muslim
Hackers Club reportedly featured links to US sites that purport to disclose
sensitive information like code names and radio frequencies used by the US Secret
Service. The same website offers tutorials in viruses, hacking stratagems, network “phreaking” and secret codes, as well as links to other militant Islamic and
cyberprankster web addresses.17 Recent targets that terrorists have discussed
include the Centers for Disease Control and Prevention in Atlanta; FedWire,
the money-movement clearing system maintained by the Federal Reserve Board;
and facilities controlling the flow of information over the Internet.18 Attacks on critical infrastructure control systems would be particularly
harmful, especially on a system such as the Supervisory Control and Data Acquisition
(SCADA) system. Thus any information on insecure network architectures or non-enforceable
security protocols is potentially very damaging.

Terrorists have
access, like many Americans, to imaging data on potential targets, as well as
maps, diagrams, and other crucial data on important facilities or networks.
Imaging data can also allow terrorists to view counterterrorist activities at
a target site. One captured al Qaeda computer contained engineering and structural
architecture features of a dam, enabling al Qaeda engineers and planners to
simulate catastrophic failures.19

With regard to
gathering information through the Internet, on 15 January 2003 Defense Secretary
Donald Rumsfeld observed that an al Qaeda training manual recovered in Afghanistan
said, “Using public sources openly and without resorting to illegal means, it
is possible to gather at least 80 percent of all information required about
the enemy.”20

•The Internet puts distance
between those planning the attack and their targets. Terrorists planning
attacks on the United States can do so abroad with limited risk, especially
if their command and control sites are located in countries other than their
own. Tracing the route of their activity is particularly difficult. The net
provides terrorists a place to plan without the risks normally associated with
cell or satellite phones.

•The Internet can be used
to steal information or manipulate data. Ronald Dick, Director of the FBI’s
National Infrastructure Protection Center, considers the theft or manipulation
of data by terrorist groups as his worst nightmare, especially if the attacks
are integrated with a physical attack such as on a US power grid.21 Richard Clark,
Chairman of the President’s Critical Infrastructure Protection Board, said the
problem of cybersecurity and data protection had its own 9/11 on 18 September
2001 when the Nimda virus spread through Internet-connected computers around
the world, causing billions of dollars of damage. Nimda’s creator has never
been identified. This virus, hardly noticed in the wake of the airliner attacks
and anthrax scares, set off a chain reaction among software companies (including
Microsoft) to get very serious about plugging vulnerabilities.22 In the fall of
2001 a number of unexplained intrusions began occurring against Silicon Valley
computers. An FBI investigation traced the intrusions to telecommunication switches
in Saudi Arabia, Indonesia, and Pakistan. While none was directly linked to
al Qaeda, there remain strong suspicions that the group was somehow involved.23

•The Internet can be used
to send hidden messages. The practice of steganography, which involves hiding
messages inside graphic files, is a widespread art among criminal and terrorist
elements. Hidden pages or nonsensical phrases can be coded instructions for
al Qaeda operatives and supporters. One recent report noted,

Al Qaeda uses
prearranged phrases and symbols to direct its agents. An icon of an;AK-47
can appear next to a photo of Osama bin Laden facing one direction one day,
and another direction the next. The color of icons can change as well. Messages
can be hidden on pages inside sites with no links to them, or placed openly
in chat rooms.24

In addition, it is possible
to buy encryption software for less than $15. Cyberplanners gain an advantage
in hiding their messages via encryption. Sometimes the messages are not even
hidden in a sophisticated manner. Al-Jazeera television reported that Mohammed
Atta’s final message (another advantage of the Internet—the impossibility of
checking sources) to direct the attacks on the Twin Towers was simple and open.
The message purportedly said, “The semester begins in three more weeks. We’ve
obtained 19 confirmations for studies in the faculty of law, the faculty of
urban planning, the faculty of fine arts, and the faculty of engineering.”25 The reference to the various faculties was apparently the code for the
buildings targeted in the attacks.

•The Internet allows groups
with few resources to offset even some huge propaganda machines in advanced
countries. The web is an attractive device to those looking for a way to
attack major powers via the mass media. The “always on” status of the web allows
these individuals not only to access sites day and night but also to scold major
powers and treat them with disdain in a public forum. The web can be used to
counter facts and logic with the logic of the terrorist. There is no need for
the terrorist organization to worry about “the truth,” because ignoring facts
is a standard operating procedure.

Al Qaeda uses
polemics on the net not only to offset Western reporting, but also to counter
Muslims who don’t toe the party line. It defends the conduct of;its war
against the West and encourages violence. The web is important to al;Qaeda
because it can be used to enrage people and neutralize moderate opinion. The
website of the Center for Islamic Studies and Research (according to one source,
a made-up name), for example, has 11 sections, including reports on fighting
in Afghanistan, world media coverage of the conflict, books on jihad theology,
videos of hijackers’ testaments, information about prisoners held in Pakistan
and Guantanamo Bay, and jihad poetry.26

It does not pay
for any major power to lie, as facts can be easily used against them. Even in
the war in Chechnya, there were times when the Chechens would report a successful
ambush of a Russian convoy, and the Russians would deny the event ever happened.
To prove their point, the Chechens would show video footage of the ambush on
the Internet, thus offsetting the credibility of the Russian official media
and undercutting the power of their massive propaganda machine. Al Qaeda officials
are waiting to do the same to Western media reporting if the opportunity presents
itself.

•The Internet can be used
to disrupt business. This tactic requires precise timing and intimate knowledge
of the business climate in the target country. It attempts to harm businesses
by accusing them of guilt by association.

Hizbullah, for example, has
outlined a strategy to cripple Israeli government, military, and business sites
with the aim of disrupting normal economic and societal operations. Phase one
might be to disable official Israeli government sites; phase two might focus
on crashing financial sites such as those on the Israeli stock exchange; phase
three might involve knocking out the main Israeli internet servers; and phase
four might blitz Israeli e-commerce sites to ensure the loss of hundreds of
transactions.27 A final phase
could be to accuse companies that do business with a target government as guilty
by association and call for a boycott of the firm’s products. Arab terrorists
attacked Lucent Technologies in a round of Israeli-Arab cyber skirmishes, for
example.28 All of these plans require insider knowledge in order to carry out the
operation in a timely and accurate manner.

•The Internet can mobilize
a group or diaspora, or other hackers to action. Websites are not only used
to disseminate information and propaganda. They also are used to create solidarity
and brotherhood among groups. In the case of Islamist terrorist
organizations, the Internet substitutes for the loss of bases and territory.
In this respect the most important sites are alneda.com, jehad.net, drasat.com,
and aloswa.org, which feature quotes from bin Laden tapes, religious legal rulings
that justify the terrorist attacks, and support for the al Qaeda cause.29 In addition, website operators have established a site that is “a kind of database
or encyclopedia for the dissemination of computer viruses.”30 The site is 7hj.7hj.com, and it aims
to teach Internet users how to conduct computer attacks, purportedly in the
service of Islam.31

•The Internet takes advantage
of legal norms. Non-state actors or terrorists using the Internet can ignore
Western notions of law and focus instead on cultural or religious norms. At
a minimum, they ignore legal protocols on the Internet. In addition, they use
the net to break the law (when they hack websites or send out viruses) while
at the same time the law protects them (from unlawful surveillance, etc.).

International
investigations into such behavior are difficult to conclude due to the slow
pace of other nations’ investigative mechanisms, and the limited time that data
is stored.32 However, in the aftermath of the events of 9/11 in the United States, the terrorists’
actions actually initiated several changes in the US legal system that were
not to the terrorists’ advantage. For example, in the past, the privacy concerns
of Internet users were a paramount consideration by the US government. After
9/11, new legislation was enacted.

The controversial
USA Patriot Act of 2001 included new field guidance relating to computer crime
and electronic evidence. The Patriot Act is designed to unite and strengthen
the United States by providing the appropriate tools required to intercept and
obstruct terrorism. It establishes a counterterrorism fund in the Treasury Department,
amends federal criminal code that authorizes enhanced surveillance procedures,
provides guidelines for investigating money-laundering concerns, removes obstacles
to investigating terrorism (granting the FBI authority to investigate fraud
and computer-related activity for specific cases), and strengthens criminal
laws against terrorism.33

The “Field Guidance
on New Authorities that Relate to Computer Crime and Electronic Evidence Enacted
in the USA Patriot Act of 2001” provides the authority to do several things.
Authorizations include: intercepting voice communications
in computer hacking investigations; allowing law enforcement to trace communications
on the Internet and other computer networks within the pen register and trap
and trace statute (“pen/trap” statute); intercepting communications of;computer
trespassers; writing nationwide search warrants for e-mail; and deterring and
preventing cyberterrorism. The latter provision raises the maximum penalty for
hackers that damage protected computers (and eliminates minimums); states that
hackers need only show intent to cause damage, not a particular consequence
or degree of damage; provides for the aggregation of damage caused by a hacker’s
entire course of conduct; creates a new offense for damaging computers used
for national security and criminal justice; expands the definition;of a
“protected computer” to include computers in foreign countries; counts prior
state convictions of computer crime as prior offenses; and defines computer
“loss.” In addition, the guidance develops and supports cyber-security forensic
capabilities.34

Terrorists know
when their Internet “chatter” or use of telecommunications increases, US officials
issue warnings. Terrorists can thus introduce false information into a net via
routine means, measure the response it garners from the US intelligence community,
and then try to figure out where the leaks are in their systems or what type
of technology the United States is using to uncover their plans. For example,
if terrorists use encrypted messages over cell phones to discuss a fake operation
against, say, the Golden Gate Bridge, they can then sit back and watch to see
if law enforcement agencies issue warnings regarding that particular landmark.
If they do, then the terrorists know their communications are being listened
to by US officials.35

In conclusion, it should be reiterated that cyberplanning
is as important a concept as cyberterrorism, and perhaps even more so. Terrorists
won’t have an easy time shutting down the Internet. Vulnerabilities are continuously
reported and fixed while computers function without serious interference (at
least in the United States). One hopes that law enforcement and government officials
will focus more efforts on the cyberplanning capabilities of terrorists in order
to thwart computer attacks and other terrorist activities. At a minimum, America
can use such measures to make terrorist activities much harder to coordinate
and control. Paul Eedle, writing in The Guardian, summed up the value
of the Internet to al Qaeda:

Whether bin Ladin or al
Qaeda’s Egyptian theorist Ayman al-Zawahiri and their colleagues are on a
mountain in the Hindu Kush or living with their beards shaved off in a suburb
of Karachi no longer matters to the organization. They can inspire and guide a worldwide movement
without physically meeting their followers— without knowing who they are.36